Description
wpDiscuz before 7.6.47 contains an IP spoofing vulnerability in the getIP() function that allows attackers to bypass IP-based rate limiting and ban enforcement by trusting untrusted HTTP headers. Attackers can set HTTP_CLIENT_IP or HTTP_X_FORWARDED_FOR headers to spoof their IP address and circumvent security controls.
Published: 2026-03-13
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Bypass IP-based Rate Limiting and Ban Enforcement
Action: Apply Patch
AI Analysis

Impact

The wpDiscuz plugin contains an IP spoofing vulnerability in its getIP() function. The function trusts the HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR headers for determining the visitor's IP address without proper validation. An attacker can set these headers to a value that does not match the true client IP, thereby forging the originating address. The vulnerability allows the attacker to bypass IP-based rate limiting and ban enforcement that relies on the reported IP, potentially leading to spamming, brute-force attacks, or denial of service through repeated actions by a spoofed IP.

Affected Systems

This issue affects the wpDiscuz plugin for WordPress made by gVectors. All versions of wpDiscuz prior to 7.6.47 are vulnerable. Installing version 7.6.47 or later removes the vulnerability.

Risk and Exploitability

The CVSS base score is 6.9, indicating medium severity. The EPSS score is below 1%, suggesting a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The attack vector is remote, requiring only the ability to send HTTP requests with custom headers to the target WordPress site. Because the exploitation only needs header manipulation, an attacker can perform it from anywhere without additional credentials.

Generated by OpenCVE AI on March 17, 2026 at 21:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade wpDiscuz to version 7.6.47 or later
  • If upgrade cannot be performed immediately, configure the web server or WordPress to ignore or strip untrusted HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR headers, or set trusted proxies accordingly
  • Monitor logs for suspicious traffic and abnormal request patterns


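The Impact section above describes the root cause (the plugin resolving the visitor address from client-controlled headers), and the second recommended action describes the mitigation (only honour forwarding headers from trusted proxies). The following PHP is an added illustration of both, written for this page; it is not wpDiscuz or gVectors code. The function names, the $trustedProxies list and the sample request arrays are assumptions constructed for the demonstration. weakGetIP() mirrors the header-trusting pattern the advisory describes; hardenedGetIP() consults X-Forwarded-For only when the TCP peer is a configured proxy, validates every hop as an IP literal, and walks the chain from the right so that entries prepended by the client are never reached.

```php
<?php
// Added example (not wpDiscuz code): resolving the client IP only from
// headers that a trusted reverse proxy set. Names below are assumptions.

declare(strict_types=1);

/**
 * Weak pattern as described in the advisory: any client can send
 * Client-IP / X-Forwarded-For, so the returned value is attacker-controlled.
 */
function weakGetIP(array $server): string
{
    if (!empty($server['HTTP_CLIENT_IP'])) {
        return (string) $server['HTTP_CLIENT_IP'];
    }
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        return trim(explode(',', (string) $server['HTTP_X_FORWARDED_FOR'])[0]);
    }
    return (string) ($server['REMOTE_ADDR'] ?? '');
}

/**
 * Hardened resolver. $trustedProxies is an assumed operator-configured list
 * of reverse-proxy addresses. X-Forwarded-For is consulted only when the TCP
 * peer (REMOTE_ADDR) is one of them; the chain is walked right-to-left so
 * hops appended by our own proxies are skipped and the first address not
 * under our control is used. HTTP_CLIENT_IP is never consulted. Any
 * malformed entry makes the function fall back to the peer address.
 */
function hardenedGetIP(array $server, array $trustedProxies): string
{
    $remote = (string) ($server['REMOTE_ADDR'] ?? '');
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return '';
    }
    if (!in_array($remote, $trustedProxies, true)) {
        // Direct connection: forwarding headers are untrusted, ignore them.
        return $remote;
    }
    $chain = array_map('trim', explode(',', (string) ($server['HTTP_X_FORWARDED_FOR'] ?? '')));
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        $hop = $chain[$i];
        if ($hop === '') {
            continue;
        }
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            // Do not guess on garbage; the proxy address is the safe answer.
            return $remote;
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $remote;
}

// Constructed sample requests (documentation-range addresses).
$trusted = ['10.0.0.2'];

// 1. Direct connection; the client forges both headers.
$direct = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_CLIENT_IP'       => '198.51.100.9',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.9',
];

// 2. Behind the trusted proxy; the client sent a leading forged entry and
//    the proxy appended the real peer address.
$proxied = [
    'REMOTE_ADDR'          => '10.0.0.2',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.9, 203.0.113.7',
];

printf("direct  weak=%s hardened=%s\n", weakGetIP($direct), hardenedGetIP($direct, $trusted));
printf("proxied weak=%s hardened=%s\n", weakGetIP($proxied), hardenedGetIP($proxied, $trusted));
```

In both sample requests the weak resolver reports the forged 198.51.100.9, so a ban or rate limit keyed on it never matches the real sender, while the hardened resolver reports 203.0.113.7. The same trusted-proxy rule can be enforced one layer up by having the web server overwrite (rather than merely pass through) X-Forwarded-For and drop Client-IP for connections that do not originate from the proxy.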

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 16:15:00 +0000

Type       Values Removed   Values Added
Metrics                     ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 13 Mar 2026 10:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Wordpress; Wordpress wordpress
Vendors & Products                     Wordpress; Wordpress wordpress

Fri, 13 Mar 2026 02:00:00 +0000

Type                  Values Removed   Values Added
Description                            wpDiscuz before 7.6.47 contains an IP spoofing vulnerability in the getIP() function that allows attackers to bypass IP-based rate limiting and ban enforcement by trusting untrusted HTTP headers. Attackers can set HTTP_CLIENT_IP or HTTP_X_FORWARDED_FOR headers to spoof their IP address and circumvent security controls.
Title                                  wpDiscuz before 7.6.47 - IP Address Spoofing in getIP()
First Time appeared                    Gvectors; Gvectors wpdiscuz
Weaknesses                             CWE-348
CPEs                                   cpe:2.3:a:gvectors:wpdiscuz:*:*:*:*:*:wordpress:*:*
Vendors & Products                     Gvectors; Gvectors wpdiscuz
References
Metrics                                cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}
                                       cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-13T16:09:19.907Z

Reserved: 2026-01-06T16:47:17.184Z

Link: CVE-2026-22201

Vulnrichment

Updated: 2026-03-13T16:09:16.414Z

NVD

Status: Analyzed

Published: 2026-03-13T19:54:10.147

Modified: 2026-03-17T20:25:44.070

Link: CVE-2026-22201

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T09:59:55Z

Weaknesses